Pidgin-3 and browser plugins

Bjoern Voigt bjoernv at arcor.de
Mon Dec 16 18:14:38 EST 2013


Bjoern Voigt wrote:
> Ethan Blanton wrote:
>> Daniel Atallah spake unto us the following wisdom:
>>> On Mon, Dec 16, 2013 at 5:03 AM, Bjoern Voigt <bjoernv at arcor.de> wrote:
>>>> since some days I test the "Pipelight" browser plugin. During
>>>> Pipelight updates, I saw that Pidgin loads this plugin. Why does
>>>> Pidgin need browser plugins? How can I disable this behavior?
>>> Pidgin has no knowledge of or interaction with your browser plugins (unless
>>> a third party pidgin plugin also has some sort of interaction with the
>>> browser).
>>> What makes you think that "Pidgin loads this plugin"?
>> Pidgin 3, which is unreleased and unsupported, does of course use Web
>> Kit, which might load plugins that are installed for it (?).
> Thanks for all your tips.
>
> Now I think that Webkit-GTK loads all my installed browser plugins:
>
> $ ldd /usr/local/pidgin-dev/bin/pidgin |grep webkitgtk
>         libwebkitgtk-3.0.so.0 => /usr/lib64/libwebkitgtk-3.0.so.0 (0x00007fd0582dc000)
> $ strings /usr/lib64/libwebkitgtk-3.0.so.0|grep browser-plugins
> $ strace /usr/local/pidgin-dev/bin/pidgin 2>&1 |
> openat(AT_FDCWD, "/usr/lib64/browser-plugins", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 24
> access("/usr/lib64/browser-plugins/libtotem-mully-plugin.so", F_OK) = 0
> access("/usr/lib64/browser-plugins/javaplugin.so", F_OK) = 0
> [...]
> open("/usr/lib64/browser-plugins/libtotem-gmp-plugin.so", O_RDONLY|O_CLOEXEC) = 24
> open("/etc/totem/browser-plugins.ini", O_RDONLY) = -1 ENOENT (No such file or directory)
>
> This leads me again to the question of whether I can disable the
> function by which Pidgin, indirectly via webkitgtk, loads all my
> browser plugins.
>
> This may be a security topic. Maybe a buddy can send me HTML
> messages which contain malicious code which can exploit security
> holes in browser plugins.
>
> Greetings,
> Björn
Sorry, the most important output was missing in my mail:

$ ldd /usr/local/pidgin-dev/bin/pidgin |grep webkitgtk
        libwebkitgtk-3.0.so.0 => /usr/lib64/libwebkitgtk-3.0.so.0 (0x00007fd0582dc000)
$ strings /usr/lib64/libwebkitgtk-3.0.so.0|grep browser-plugins
/usr/lib64/browser-plugins
/usr/lib/browser-plugins

Björn
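
Added example (not part of the original mail, and not Pidgin or WebKitGTK code): a filter that turns strace output like the excerpt above into a short list of which plugin files were only probed and which were actually opened. The function names plugin_touches and sample_trace are made up for this example, and the last line of the sample input is constructed.

```bash
#!/usr/bin/env bash
# Added example: classify strace lines that touch the NPAPI plugin directories.
# The directory names are the two reported by `strings` in the post.
PLUGIN_DIRS_RE='^/usr/lib(64)?/browser-plugins'

# Reads strace output on stdin; prints one "<action> <path>" line per hit:
#   listed = plugin directory opened for enumeration (O_DIRECTORY)
#   probed = access()/stat() succeeded; the file exists, nothing loaded yet
#   opened = open()/openat() of a .so returned a descriptor
# Failed calls (return value -1) and paths outside the directories are skipped.
plugin_touches() {
  LC_ALL=C awk -v re="$PLUGIN_DIRS_RE" '
    {
      line = $0
      sub(/^\[pid +[0-9]+\] +/, "", line)        # prefix added by strace -f
      if (!match(line, /"[^"]*"/)) next          # first quoted arg = path
      path = substr(line, RSTART + 1, RLENGTH - 2)
      if (path !~ re) next
      n = split(line, parts, " = ")              # result follows last " = "
      if (parts[n] ~ /^-1/) next
      sys = line; sub(/\(.*/, "", sys)
      if (sys ~ /^open(at)?$/ && line ~ /O_DIRECTORY/)  action = "listed"
      else if (sys ~ /^open(at)?$/ && path ~ /\.so$/)   action = "opened"
      else if (sys ~ /^(access|stat)$/)                 action = "probed"
      else next
      print action, path
    }' | LC_ALL=C sort -u
}

# Sample input: the strace lines quoted in the post with the mail wrapping
# undone; the final line is constructed to show a failed call being skipped.
sample_trace() {
  cat <<'EOF'
openat(AT_FDCWD, "/usr/lib64/browser-plugins", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 24
access("/usr/lib64/browser-plugins/libtotem-mully-plugin.so", F_OK) = 0
access("/usr/lib64/browser-plugins/javaplugin.so", F_OK) = 0
open("/usr/lib64/browser-plugins/libtotem-gmp-plugin.so", O_RDONLY|O_CLOEXEC) = 24
open("/etc/totem/browser-plugins.ini", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/browser-plugins", O_RDONLY|O_DIRECTORY) = -1 ENOENT (No such file or directory)
EOF
}

# Live use: strace -f -e trace=file <program> 2>&1 | plugin_touches
sample_trace | plugin_touches
```

A successful open() shows that the file was read, not that its code is mapped into the process; /proc/<pid>/maps of the running program lists the shared objects that are actually loaded.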


